WordPress security is becoming a much bigger issue nowadays because of its popularity. So many sites are using WordPress, with many developers building apps, themes, and extensions for it. But unfortunately this also makes it a common target for hackers.
But on the flip side, there are tons of documentation and support for WordPress and you’ll be able to secure it, no problem! The only issue is that some security methods slow your site down—BOO!
The two biggest goals of WordPress security:
- Prevent your site from getting hacked.
- Prevent bots or attacks from slowing down your server/website.
Here are some easy tactics to keep hackers/bots out without impacting server performance:
Avoid Slow Security Tactics
- IP blockers/security, any blacklists/whitelists, brute-force security, and external checks on every visitor are gonna slow your site when they use PHP to do the securing.
- Security scans, file/directory security, etc.
- Spam blocks, captchas, content-blocks…these add JS load.
- There are also many useless features that security plugins add to appear more “full-featured”.
I’m not against doing any of these things; I just don’t agree with how they’re implemented! And if you have CloudFlare, you don’t need many of them. Just remember that security is best done at server level, not software (PHP) level. PHP is meant for application processing, not security. It’s kind of like using your GATE for security, rather than your doors and windows.
Let’s start with some actual security tips…
1. Choose properly-coded plugins (and keep them updated)
Most people think they’re already doing this but they’re not. Just because a plugin is popular and used by many doesn’t mean it’s well-coded. Please have a respected developer review the plugin or at least look up reviews online to see how certain plugins are viewed by again…RESPECTED DEVELOPERS!
2. Protect wp-admin from brute force
METHOD A) Use a security plugin to protect against brute force
- Something like WordFence.
METHOD B) Set up HTTP AUTHENTICATION for your wp-admin login
- Very simple tactic that locks down your admin page. They can’t brute force it if they can’t get in! This is a simple tactic that keeps your server from being slowed down.
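One way to set up Method B on Apache 2.4, as an added example that is not from the original post: the .htpasswd path, the user name and the realm name are placeholders, and the block covers two separate .htaccess files, marked in the comments. It also exempts admin-ajax.php, which front-end theme and plugin features call for visitors who are not logged in.

```apache
# Added example. Assumes Apache 2.4 with mod_auth_basic and mod_authn_file
# enabled, and AllowOverride permitting AuthConfig in .htaccess.
#
# Create the password file once, outside the web root (placeholder path/user):
#   htpasswd -c /path/outside/webroot/.htpasswd yourname
# Basic auth sends the password with every request, so serve the site over HTTPS.

# ---- File 1: .htaccess in the WordPress root ----
# Ask for the HTTP password before wp-login.php is ever handed to PHP.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /path/outside/webroot/.htpasswd
    Require valid-user
</Files>

# ---- File 2: wp-admin/.htaccess ----
# Same prompt for everything under wp-admin/.
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Exception: themes and plugins call admin-ajax.php from the public site,
# so visitors who are not logged in must still be able to reach it.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Requests with missing or wrong HTTP credentials are answered by Apache with a 401 before WordPress loads, so failed attempts never reach PHP.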
3. Block XML-RPC protocol (if you’re not using it)
This protocol allows you to log into your WordPress from other apps like on your phone, desktop, etc. If you’ve always logged into your WordPress site from your browser, then you don’t need it. You can disable it easily from your htaccess file. Simply add the code below:
<Files xmlrpc.php>
Deny from all
</Files>
4. Other tactics
These can be useful extra precautions:
- Do not use the default “admin” user name, pick something else.
- Change login page from wp-login.php to something else.
- Change table prefix from “wp_” to anything else.
- Login attempts blocker – install a plugin to limit the number of failed login attempts.
- Prevent .php files from being run in certain directories…like the wp-uploads directory.
- Installing regular malware scan – this will affect performance, only use as necessary!
- Firewall – you don’t need a plugin for this, simply edit your htaccess!
- DB password – don’t use the same password for your database as you would for WP-admin or email accounts.
5. Use a CDN
Using any CDN, like CloudFlare (free), is especially fantastic for preventing DDOS and attacks. Their servers block bots and bad traffic from ever hitting your server so that you’ll never have to process any of that. It’s a great way to secure your site and improve performance at the same time.
6. Set up Backups
Make sure you have a backup in case anything happens and you’ll be able to restore easily! Check out my WordPress backup plugin reviews.
What about WordPress security plugins?
Unfortunately, many of them slow down your website and use PHP code to run features that could have been set up manually. The more code you run, the more your website slows down. I suggest doing as many manual options as possible. Many security measures can be done simply from your htaccess file! (No plugin needed!)
- My favorite security plugin is probably WordFence (mainly for its malware signature database).